This invention relates to methods and systems for managing security in communication sessions across networks, and more particularly, to a methodology and system for managing security in telephony sessions over hybrid networks such as combined switched telephone networks and packet switched internetworks, such as the Internet. In one aspect the invention relates to an improved firewall mechanism and methodology for providing real time firewall security.
In providing a gateway between a secure network, such as a switched telephone network, and an unsecured network, such as the Internet, the protection and maintenance of network security immediately becomes a concern. Protecting a secure network from unauthorized use or attack is of paramount importance to any organization. When the secure network constitutes the public switched telephone network (PSTN) the seriousness of the threat is self-evident.
The potential development of telephony over the Internet technology as a viable commercial telephony service has attracted interest by both equipment and software vendors and long distance and local exchange carriers. However, the commercial opportunity carries with it the problem of maintaining network security. Connectivity and security are two conflicting objectives in any computing environment. In the context of providing telephone service over the Internet the basic problem of minimizing latency assumes even larger importance.
In communicating with essentially real time applications such as telephony via packets, there is a need for both consistency and speed. The packets must arrive on a consistent basis and they must arrive quickly. Generally speaking, when any type of security scheme is implemented, some latency or inconsistency is introduced into the data stream. When a very limited number of streams are involved the problem is manageable. However, as the number of streams starts increasing, it is much more difficult to provide adequate security at an acceptable cost without introducing quality of service problems.
An acceptable response to the problem of access control must be effective, economical, and transparent to users. Packet filtering is a method which allows connectivity yet provides security by controlling the traffic being passed, thus preventing unauthorized communication attempts and attacks upon the protected network. Current implementations of packet filtering allow access list tables to be specified only according to a fixed format. This lacks flexibility and entails excessive expense when the firewall is designed to cope with the problems presented by packetized voice.
U.S. Pat. No. 5,606,668, issued Feb. 25, 1997, to Gil Shwed, for a System for Securing Inbound and Outbound Data Packet Flow in a Computer Network, proposes one solution. According to the Shwed patent there is provided a system administrator having a graphical user interface (GUI) for entering security rules. FIG. 3 of that patent illustrates the computer screen upon which the system administrator depends. Network objects and services are two of the aspects of the network which must be defined by the administrator.
The monitor computer screen is used to define network objects such as workstations, gateways, and other computer hardware connected to the system. Various devices are grouped together such as, for example, the finance department, the research and development department, and the directors of the company. This is intended to provide flexibility in tailoring security rules to manage various filters to provide the degree of access desired for the various computers or the devices which are grouped together. It is thus possible to have the chief financial officer as well as other higher-ranking officials of the company, such as the CEO and the directors, able to communicate directly with the finance group, but filter out communications from other groups. This allows the administrator or system operator to provide internal security as well as external security.
Network services are also represented on the screen from which the administrator or operator works. Graphic symbols and color are utilized to ease the burden on the operator. This makes it possible for the operator to enter new rules without the need for writing, compiling and checking new code for this purpose. The information entered on the GUI is then converted to a filter script containing the rules to be utilized by the packet filter.
While the system described in the Shwed patent may be effective for its intended purpose, it requires the service of an operator at the computer terminal, and does not provide the flexibility and speed necessary for handling the security desired at the junction of the Internet and a switched telephone network.
Another possible approach to the problem which has been suggested is the use of a proxy server or proxy application for purposes of providing a firewall. However, while this might be considered for a very low number of users, latency increases exponentially as the number is increased. Application proxies would not be capable of handling the number of calls expected in this application except at a prohibitive cost.
It is an object of the invention to provide an improved system and method for implementing security for a telephone network in a telephony over the Internet application.
It is another object of the invention to provide network security to a secured network connected to an unsecured packet network for providing audio and/or video service.
It is still another object of the invention to provide a mechanism and method for implementing improved firewall functionality.
It is another object of the invention to provide real time security that is dynamic and changes and adapts to conditions.
It is a further object of the invention to provide protection to a switched telephone network which is interfaced to an unsecured packet network, such as the Internet, for implementing audio or video communication.
It is another object of the invention to provide an improved firewall mechanism for filtering packetized voice signaling to enforce conformance to automatically created filter parameters which are customized on a per-conversation basis.
It is still a further object of the invention to provide a system for conducting a voice communication through a hybrid network which comprises a packet internetwork connected to a switched telephone network via a static filter device, a packet switch, a gateway, and a control processor connected to the packet switch and to the filter device, wherein the filter device generates a real time copy of the call setup signaling passing through it, which copy of the setup signaling is delivered through the packet switch to the control processor, with the control processor generating therefrom a filter device control signal which is delivered to the filter device and which reconfigures the filter device.
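As an added illustration, not code from the patent, the following small model shows the arrangement described above: the filter device admits call setup signaling under a static rule, mirrors a copy of it to a control processor, and the control processor installs a per-conversation rule for the media flow and removes it when the call is released. The packet fields, the signaling port, the "SETUP"/"RELEASE" message syntax and the addresses are all constructed assumptions.

```python
# Constructed model (not the patent's implementation) of a static filter device
# that mirrors call-setup signaling to a control processor, which in turn
# reconfigures the filter with one rule per conversation.
from dataclasses import dataclass, field

SIGNALING_PORT = 5000  # assumed port on which call-setup signaling is admitted

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: str = ""

@dataclass
class FilterDevice:
    """Static rule: admit signaling only. Dynamic rules: (src, dst, port)
    tuples installed by the control processor, one per conversation."""
    dynamic_rules: set = field(default_factory=set)
    copies: list = field(default_factory=list)  # real-time copy of signaling

    def forward(self, pkt: Packet) -> bool:
        if pkt.dport == SIGNALING_PORT:
            self.copies.append(pkt)  # mirrored towards the control processor
            return True
        return (pkt.src, pkt.dst, pkt.dport) in self.dynamic_rules

def control_processor(filt: FilterDevice) -> None:
    """Consume mirrored signaling and reconfigure the filter device."""
    # Constructed signaling syntax: "SETUP <media_port>" / "RELEASE <media_port>"
    while filt.copies:
        pkt = filt.copies.pop(0)
        verb, _, port = pkt.payload.partition(" ")
        if not port.isdigit():
            continue  # malformed signaling never opens a rule
        rule = (pkt.src, pkt.dst, int(port))
        if verb == "SETUP":
            filt.dynamic_rules.add(rule)
        elif verb == "RELEASE":
            filt.dynamic_rules.discard(rule)

def simulate_call() -> dict:
    """One conversation end to end; returns the filter's forwarding decisions."""
    filt, caller, gw = FilterDevice(), "203.0.113.9", "192.0.2.10"  # constructed
    media = Packet(caller, gw, 20000, "voice")
    out = {"before_setup": filt.forward(media)}
    filt.forward(Packet(caller, gw, SIGNALING_PORT, "SETUP 20000")); control_processor(filt)
    out["during_call"] = filt.forward(media)
    out["other_host"] = filt.forward(Packet("198.51.100.7", gw, 20000, "voice"))
    filt.forward(Packet(caller, gw, SIGNALING_PORT, "RELEASE 20000")); control_processor(filt)
    out["after_release"] = filt.forward(media)
    return out
```

The media port is closed before setup, open only for the signaled endpoint pair during the call, and closed again after release, which is the per-conversation behaviour the object above describes.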
Additional objects, advantages and novel features of the invention will be set forth in part in the description which follows, and in part will become apparent to those skilled in the art upon examination of the following or may be learned by practice of the invention. The objects and advantages of the invention may be realized and attained by means of the instrumentalities and combinations particularly pointed out in the appended claims.